I used Lili (LinuxLive USB Creator) to create a bootable USB stick based on the 64-bit Lubuntu 13.04 ISO with Windows 8 UEFI Secure Boot. The stick starts only in legacy boot, but not in UEFI mode.

Then I tried it with a CD-ROM, because some people believe that some old and hidden stuff on the USB stick could disturb the boot process. I clicked on the ISO image (also in Windows 8 UEFI Secure Boot mode) "burn to CD ROM" as described, e.g., here: https://help.ubuntu.com/community/BurningIsoHowto

It does not work with UEFI Secure Boot. The error message is:

CDRom has been blocked by the current security policy [OK]

as Canonical did not have a UEFI licence for *buntu. When I start with UEFI but Secure Boot disabled, there is not even an error message. In legacy mode, the CD-ROM works fine.

As I have to start in UEFI Secure Boot mode to install *buntu 13.04 alongside Windows 8 in UEFI Secure Boot mode: how do I burn a bootable live CD in UEFI Secure Boot mode? Either with Win 8 or Win XP or Mac OS 10.4.11 or a live CD in legacy mode?

1 Answer

In theory, Ubuntu 12.04.2 (but not 12.04), 12.10, and 13.04 all support Secure Boot via a program called shim, and their installers should boot with Secure Boot active. In practice, there seem to be a lot of problems with that. I'm not sure if this is because of configuration errors, because of the fact that Ubuntu is still using the old shim version 0.1, or because of bugs in some computers' Secure Boot implementations. If you're running into such problems, I have three suggestions:

You can disable Secure Boot on the computer in question. This is usually the easiest approach to take. Note that this will not prevent you from booting Windows. The drawback is that you'll lose the security benefits that Secure Boot provides -- but this is no worse than running Windows on a BIOS-based computer.

You can use the more up-to-date shim version 0.2 with Ubuntu. This is most easily done by disabling Secure Boot, installing Ubuntu, installing the updated shim, and then re-enabling Secure Boot. Note that once you re-activate Secure Boot, you'll need to manually register Canonical's/Ubuntu's public key in your Machine Owner Key (MOK) list. This key is available in the Ubuntu shim package, IIRC; or you can get it in my rEFInd.zip file. You register the key when you reboot; when shim launches and sees an unknown signature on the GRUB binary, shim launches a program called MokManager, which has a user interface akin to that of an Apple II. You use MokManager to navigate to the public key file you want to enroll in the MOK.

You can try the Linux Foundation's PreBootloader instead of shim. You'll need to install it (and its associated HashTool.efi file) in much the same way you'd install shim. Instead of enrolling a public key, though, you must register your boot loader, and possibly your kernels, with the PreBootloader. Overall, this is likely to be harder to use in the long run; but if it works and shim doesn't, it may be your only choice.

Note that with either shim 0.2 or PreBootloader, if you choose to put the new program on your installation medium, that will affect only the boot of the installer; when the installer sets up Ubuntu, it will install Ubuntu's old shim 0.1. If the source of your problem is shim 0.1, this means that you'll need to disable Secure Boot and install shim 0.2 or PreBootloader on your hard disk. Thus, there's little point to modifying the installation medium; it's simpler to temporarily disable Secure Boot when installing Ubuntu.
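An added example, not part of the original answer: a shell check that reports which of the boot modes discussed on this page (legacy, UEFI with Secure Boot off, UEFI with Secure Boot on) the running Linux system is actually in, which is useful after each disable/install/re-enable step. It assumes the standard efivarfs mount under /sys/firmware/efi; the function names and state labels are illustrative.

```shell
#!/bin/sh
# GUID of the EFI global variable namespace (from the UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte EFI_DIR NAME: print the first data byte of an efivarfs variable.
# An efivarfs file is a 4-byte attribute field followed by the variable data.
efivar_byte() {
    f="$1/efivars/$2-$EFI_GLOBAL"
    [ -r "$f" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n'
}

# boot_state [EFI_DIR]: classify how the running system was booted.
# The labels printed here are this example's own, not a standard.
boot_state() {
    efi_dir="${1:-/sys/firmware/efi}"
    if [ ! -d "$efi_dir" ]; then
        echo "legacy"                 # no EFI runtime: BIOS/CSM boot
        return 0
    fi
    sb=$(efivar_byte "$efi_dir" SecureBoot)
    setup=$(efivar_byte "$efi_dir" SetupMode)
    if [ "$setup" = 1 ]; then
        echo "uefi-setup-mode"        # no platform key enrolled, nothing enforced
    elif [ "$sb" = 1 ]; then
        echo "uefi-secure-boot"       # signatures are being enforced
    elif [ "$sb" = 0 ]; then
        echo "uefi-secure-boot-off"   # UEFI boot, Secure Boot disabled
    else
        echo "uefi-unknown"           # efivarfs not mounted or variable unreadable
    fi
}

# Report the state of the machine this script runs on.
boot_state "${1:-/sys/firmware/efi}"
```

A result of `legacy` from the live medium means the installer was started through the firmware's legacy path, so a Secure Boot problem cannot be diagnosed from that session.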